Mobility: The Top Threats
Dave Jevans of Marble Security on How to Mitigate Risks
Mobile malware, jailbroken devices and unpatched systems are three of the top security threats to mobile workers. How can organizations mitigate the risks? Dave Jevans of Marble Security offers tips.
In examining the mobile threat landscape, two points stand out, says Jevans, the CTO of Marble Security, Inc.: 1) the growing ubiquity of smart phones, tablets and laptops being used in the workplace; 2) the paradigm shift of employees using their own devices versus company-issued equipment.
"I'm bringing in a device, which my company knows nothing about," Jevans says, describing the fundamental bring-your-own-device challenge. "They don't know if it's infected. They don't know what apps are on it. They don't know if there are any security vulnerabilities."
And this same device is going to be used to conduct work in any imaginable setting, on unsecured networks, and at risk of loss or theft.
"The security paradigm has completely changed to a very uncontrolled environment, a very uncontrolled network ... and yet the users are demanding to use those devices. So, it creates a whole new set of security challenges for IT security and for end-users."
Among those challenges: mobile malware borne by unsecured third-party apps; risks introduced by users "jailbreaking" their devices; and out-of-date operating systems that are unpatched and vulnerable to known exploits.
In an interview about top security threats to mobile workers, Jevans discusses:
- What's unique about the mobile threat landscape;
- Specific risks such as malware, jailbroken devices and unpatched systems;
- Security solutions to mitigate these risks.
Jevans is the CTO of Marble Security, Inc. His career in Internet security spans more than 20 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros, Differential and IronKey. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy. He also worked in the advanced technology group at Apple and ran an engineering project involving advanced operating systems. Currently, he serves as the chairman of the Anti-Phishing Working Group, a consortium of more than 1,500 financial services companies, Internet service providers, law enforcement agencies and technology vendors dedicated to fighting e-mail fraud and identity theft online.
About Marble Security
TOM FIELD: To start out, tell us a little bit about yourself and your new organization, please.
DAVE JEVANS: Marble Security is a new company, and we're focused on the evolving threats against mobile workers on their own devices - on their iPhones, their Androids or even their laptops - and we really have come out of a strong background of security, looking at mobility for many years. My background includes 20 years in Internet security at companies like Valicert, Tumbleweed Communications, Teros, Differential and IronKey. I've been involved in all areas of encryption and authentication on the Internet, and I also am the chairman of the APWG. We started as the Anti-Phishing Working Group. We have about 2,000 member companies and government agencies all around the world, and we run conferences three times a year on electronic crime and the emerging threats.
Unique Mobile Threats
FIELD: Let's talk about the threats to mobile workers. What do you find that's unique about the mobile threatscape?
JEVANS: The mobile threatscape is really interesting in that, first off, it's an exploding space. If we think about the growth of mobile devices that we all have - your smart phones and now your tablets - the growth is unprecedented. We'll see over 300 million new Android phones and iPhones in the market this year. We'll probably be at about 600 million total deployed by the end of this year. The growth is exponential.
The other thing that's different is people are buying these devices and they want to use them at work, whereas in the past the paradigm for security has always been, "I'll buy you a computer." Work will buy you a computer. Work will provision the security software. Work will put the antivirus on it. Work will put firewalls on the network for you. When you think about the mobile space, it's completely the opposite, which is I'm bringing in a device which my company knows nothing about. They don't know if it's infected. They don't know what apps are on it. They don't know if there are any security vulnerabilities. They don't know the operating system. And not only am I bringing that into the network, I'm using that all around the world. I'm using it on my cell network. I'm going to the coffee shop and using their Wi-Fi or the airplane's Wi-Fi. The security pattern has completely changed to a very uncontrolled environment, a very uncontrolled network, and yet users are demanding to use those devices. It creates a whole new set of security challenges for IT security professionals and for end users.
The other thing that's happening is that the criminals have figured all this out as well. There are much more insidious forms of attacks at the network level, at the device level and at the app level that are coming against people using mobile devices.
FIELD: You put together some thoughts on what you call the top nine threats against mobile workers, and I'd like to discuss a few of those with you. Mobile malware, number one: it seems like for the past few years we hear this is the year of mobile malware. Next year is the year of mobile malware. From your perspective, how big of a challenge is mobile malware for organizations and individuals today?
JEVANS: Mobile malware has a very different challenge than PC-based malware. Here are a couple of reasons why. In PC-based malware, we know that it's a big problem. There are established vendors that deal with it. However, we know also that there's no 100-percent protection. We know that we need a layered security approach. For example, antivirus software ranges in effectiveness from 80 percent at the high end down to 20 percent. Most targeted malware these days, antivirus won't pick up. But we understand that, and there are many levels of mitigation in the PC space.
When we look at mobile malware, while there's much less of it quantitatively - for example, in the PC space we know there's at least 60 million unique pieces of malware and growing - in the Android space, maybe there's three-and-a-half thousand. Some people think there are as many as 12,000 different variants of malware on the mobile space. You could say, quantitatively, "Oh wow, it's not as bad." However, it's actually much more challenging, and here's why.
The growth rate of mobile malware is much faster than the growth rate of PC-based malware. There's just way more of it coming out percentage-wise from 2012 versus 2011 and moving into 2013. The growth rate's much higher.
The other thing is that the malware that we see on these mobile devices is very different in nature than the malware we see on the PC. On the PC, it's usually web-based drive-bys where you visit an evil website and it infects your computer at the operating system level. While there is some of that on the mobile platform, really what we're seeing is more applications that are malicious that users are consciously downloading. People are actually downloading things from various places on the net that they don't understand.
The next challenge is there's really no layered security model yet in mobile malware. There are some emerging mobile malware scanning products, and Marble Security has got one. But there aren't the other protections as people are using other networks. There aren't web filters on the Wi-Fi network, for example. E-mail can come from multiple places on a mobile device that an IT manager cannot control. It's very difficult to control which applications are on mobile devices, especially if you're letting users bring their own device in.
FIELD: Let me take you back to the jail-broken devices you mentioned, because that's one of the other threats that you talk about a lot. I know that users sort of pride themselves on their ability to jail-break devices. What are they most misunderstanding about the specific risk?
JEVANS: Users are really not understanding that jail-breaking a device doesn't just let them get cool apps for free, but it completely breaks the security model of the device. There are no protections once that security model has been broken. There are not products that can get in there and scan it and do things like that. The market's just too immature for that.
If you jail-break your device, you've opened yourself up to any app reading any data from any app, any app being able to get into the operating system. For example, we see oftentimes they'll open a back door onto your device, and with those devices the operating system is pretty powerful if you jail-break it or root it. You're really looking at a very sophisticated, powerful operating system underneath there. If they open a back door into it, hackers can log right into that device and monitor everything you do. It's worse than having a completely unprotected PC or Mac. You're actually far more vulnerable because they're just not designed for that.
FIELD: One of the other threats you talk about is unpatched systems, and we know that people are not protecting their mobile devices as they would their more stationary devices. How do we encourage and see better practices here?
JEVANS: As many people know, the unpatched device problem is one of the main routes of infection and malicious code being injected into users' computers and devices. This is because hackers are constantly finding what we call zero-day attacks. They're finding new vulnerabilities in operating systems as they're released or older versions or software that's part of it that's old, and, if you don't constantly update, what happens is those attacks get spread out to all the hackers on the Internet. Instead of one attacker having it, now everybody has it. They build it into all their malware, which means that, over time, the older your operating system or older the apps on it, the more vulnerable they actually become to attack and takeover.
The challenge here is with people bringing in their own computers or logging in from home, either on their own tablet device or their own laptop. It's very difficult today, or almost impossible, for an IT admin to enforce what version of operating system it is or what version of apps are up on that device.
If you think about the corporate environment with a corporate-issued device, with a network access controlled system, they can start to enforce patch management. They can say, "You're running a version of Windows that's known to have vulnerabilities that allow an attacker to send you a Word document that lets them break into your computer and then break into our network." They can enforce that through patch management at the network level and with agents on your device.
But let's say now you're at home and you're on an old Android tablet. Maybe it's got an operating system version from a year ago, year and a half ago. Maybe you're logging in from your own laptop that's got an operating system that's got known flaws in it. You're VPNing in, you're using corporate apps or you're getting corporate email, and you're on an effectively unpatched device that's completely vulnerable to these types of attacks.
What Marble Security is doing is in our app, in our agent, we allow IT to actually know what versions of operating systems you have on your devices, to put them into a risk-scoring engine that we host in the cloud that IT administrators can get to, and they can basically look at the health of users' own devices out in the field. It's nonintrusive to the user. It doesn't force patches on the user. It's still the users' own devices. It's not locking it down, but it gives risk scoring and then alerting to IT folks. They can choose to, for example, educate the user and put up a dialogue saying you're running an unpatched version and it's very dangerous. Please update your operating system versions; for example, on your Android or your Windows.
Alternatively, they can enforce and block access to the network and to applications if you're running on an unpatched device and educate folks further about running this older version at home [and that] it's dangerous. In addition to letting them know every time they try to access the network, you can also put controls in it and say we're going to warn you three times or we're going to warn you for a week, and after that we're going to automatically shut off your access until you update your operating system or the dangerous apps.
Phishing, Other Threats
FIELD: There are a couple of other threats I want to ask you about, and they're somewhat related. The first is spear-phishing, which we hear so much about these days. What are the tell-tale signs that individuals need to monitor for?
JEVANS: Spear-phishing is one of the most insidious forms of attacks which can be part of an advanced-persistent-threat attack. Spear-phishing is a targeted e-mail that goes directly to a user that will have a lot of personal information in it, so it has the user's first name and last name. If it's a corporate attack, it might know the department name and what job function you are. It will probably come from and look like your IT or maybe from a customer, vendor or an employee. These are very, very targeted attacks that are usually the result of some form of surveillance. They're trying to break into your company.
Now people might think, "Well, who would try to break into my company?" You'd be surprised. There's a reason to break into almost every company. There are valuable assets in every company, particularly information, but other assets as well: compromising payment systems, spreading out the users, etc.
Spear-phishing is a problem across the board. At the enterprise mail server, people need to be monitoring for e-mails that come from outside the network that pretend to be from inside the network using technologies like DMARC to block it, SPF and Sender ID and DKIM. But the problem is when you're outside on the network, when you've got users out there, they need to be very vigilant because they may not only be receiving e-mail from the corporate mail server but they may be receiving e-mail on their phone from Gmail.
One of the things that IT folks need to be aware of is that people who are outside of the network, particularly on a mobile device, are much more likely to click on a spear-phishing e-mail. The reason for this is that people on these mobile devices are reading e-mail all the time. They're sitting in meetings. They're on the airplane. They're waiting for a meeting. They're on e-mail all the time. That's coming directly to them. They might not check e-mail on their work computer for hours at a time. Maybe they check it a couple times a day. Those e-mails are fresh; they're delivered directly to the user. Typically in most mobile clients you don't get the e-mail headers. It's harder to tell if it's fake or not. There's links in it or it will tell you to download an app. This is where profiling the computer and having an agent on the end user's computer, on their phone and on their tablet can really help.
For example, you can look if they installed a malicious application and you can look if three or four people installed a malicious application. By a malicious application, I mean one that - this is a typical thing to look out for - has never been seen before by a scanner, there's no signature in a database for it, and as you run it in a VM - which is one of the things that we do at Marble to analyze the behavior - it starts taking data off the device. Those are things that IT folks can look for and that you can notify users about. When they try to log in, you can scan their device, whether it's a PC, a laptop, or an Android or iPhone, and you can tell them, "This looks like a really risky application. That's a very typical sign of a spear-phishing campaign."
APT: Most Dangerous Threat
FIELD: You mentioned advanced persistent threat, and I want to follow up on that. In your notes, you refer to APT as the most dangerous threat. Why's that?
JEVANS: One way to describe it is it's the boogeyman, which means we don't exactly know what it is, but it's very scary. The reality of APTs is that it's really the first two words. "Advanced" typically means that the highest levels of criminal technology are being used - malicious apps, malware, spear-phishing attacks that have never been seen before. Traditional technologies are unlikely to detect it.
The second is "persistent," which means that this is not a random virus that gets in your network. It's not a port scan of your network that just randomly takes advantage of a vulnerability found on your network or your router. These are persistent, targeted attacks by people who really want to get at your employees and get into your network. Typically what we've seen is APTs target the end user. The best way to get into your network, the best way to compromise information, is by compromising the user. In a mobile world, as we've talked about, you don't control the user's device. It's hard to control where they get e-mail from. It's hard to control which apps they're downloading. These all need to be monitored, alerted on and managed in a risk management way, centralized so that you can tell if there are risky behaviors or new strange behaviors happening in the field on the user's own device.
If we take a look at some of the biggest security attacks that have recently happened - for example, breaches at major media outlets, breaches at major security companies, breaches at major government agencies over the last four to six months - the theme is the same. The end user is being targeted with a very targeted attack that will only attack three or four users. Maybe they profiled them through LinkedIn. Maybe they profiled them through Facebook. They target those users and infect them. Those users are typically sensitive users - management, vice presidents, IT professionals - and from there they can work their way into the network and get other vulnerabilities and completely compromise your systems because it's coming from trusted devices in your network when they move back in.
APTs are also very dangerous because they are blended attacks. They'll use highly sophisticated social engineering to get your user to respond to an e-mail, click on something, download an app or change a permission on their device. They will typically also involve network attacks. They will involve customized malicious code or customized malicious applications. They will target systems that have never been targeted before. For example, there's a new attack that just came out at the beginning of February where bad guys are now targeting the internal payment systems inside of companies and compromising them to automatically issue hundreds of thousands of dollars of payments out. That's never been seen before. These are very advanced attacks. It takes a mindset change in IT security to think that there are reasons why people could be attacking us and looking at us for months and months and months at a time, and mostly the way they're going to come in is through my end users.
FIELD: How do Marble Security solutions help organizations to mitigate some of these threats?
JEVANS: What we've done at Marble is we thought about not just what's happening today, but also looked at the historical record of how attacks and cyber crime has evolved over the last ten years. Then, we've also projected it out into the future. Here's where the attackers are coming and here are the new types of attackers. We've built a proactive system and a proactive roadmap around how we take security forward, across many different devices, not just corporate-issued equipment but also the equipment that your users are buying for themselves and using to access your systems.
This is a very different approach. If we look at the state of the art today in mobile security, it's been almost exclusively focused on the problem of if my user leaves his device in a taxi cab, I want to make sure there's a password on it so that if someone finds it they can't get in and read his e-mail, and I want to be able to remotely wipe that device. That's device management. That's yesterday's technology. It's important, but that's not where all the threats are. The threats are in the two areas moving forward, which is the apps, so security needs to be applied to all the apps that are on users' devices, and then the network. There are numerous attacks coming at the network level: DNS poisoning attacks, man-in-the-middle attacks, and bogus certificates being out there. [There are] all kinds of things going on at the network level.
What Marble Security is doing is taking a comprehensive approach to allow people to use devices out in the field, any device. We call it mobile security management, so the devices, security and network. Put it together in a super easy-to-use format. Whether you're browsing the Internet, whether you're using apps on the Internet, we provide a security layer which involves virtualizing apps, virtualizing browsers, secure networks wherever you go on any network, risk management, risk filtering and scoring, and intelligent app analysis in the cloud, all of this done seamlessly to the user. But as the user base grows, we're building out this intelligence network where we've got more and more data that looks for anomalies, and it works across any device on any network. That's how Marble Security is taking the security movement forward as we see consumerization of IT.
Influence Better Practices
FIELD: Final question for you. What's the bottom line? How do organizations begin to influence better security practices on these devices that are outside of the organization's direct control?
JEVANS: What organizations need to do to better influence security practices on these devices is first come up with a strategic plan around the fact that people will be bringing devices in. The days of you controlling them are over. People will bring devices in, and there are a lot of great reasons for it. But if you don't take a proactive stance, it's going to happen to you, not with you and your help in putting it into an overall security posture. That's the first thing.
The next thing is to think about it from a couple of different angles. One is to understand the current threats and the emerging threats. That's why we've been talking about the nine critical threats beyond just setting a password on your device. All of that threatscape needs to be understood as a problem that needs to be addressed across all of it. They need to start thinking about, "I need to have some security footprint even on use-your-own devices." With Marble Security, that's what you can do. It won't impact the user. It doesn't restrict them from things. You can make it restrictive or you can make it an enabling technology, which is how we think about security moving forward. Make it something that enables people, that's easy to use, but that also can manage things centrally and in the cloud for IT.
The next piece is to think about it from a risk management perspective. Policy enforcement is important, but you also want to look at a risk-scoring profile, which can look at devices in the field and say, "I know there are new things coming. I'm not sure what they are. They probably fit in these nine categories of threats. Maybe there's a new one that we don't know about that's coming." But you need to be able to manage and look at behavior across these devices and then score it, look at the risk, analyze it and see if there are new, anomalous behaviors.
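The risk-scoring and warn-then-block policy Jevans describes earlier in the interview (an agent reports the OS version and device state, a central engine scores it, and IT warns the user a set number of times before cutting off access) can be sketched in a few dozen lines. The following is an added illustration, not Marble Security's code; the minimum patched versions, score weights, thresholds and device records are all constructed placeholders for the example.

```python
"""Device risk scoring with a warn-then-block access policy.

Added illustration of the approach described in the interview. Not Marble
Security's code: platform minimums, weights, thresholds and the sample
fleet below are constructed for this example.
"""
from dataclasses import dataclass, field

# Assumed minimum patched OS version per platform (placeholder values).
MIN_PATCHED = {
    "android": (4, 2, 0),
    "ios": (6, 1, 0),
    "windows": (6, 1, 7601),
}


def parse_version(text):
    """'4.1.2' -> (4, 1, 2); missing components are padded with 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class DeviceReport:
    """What a lightweight agent on a user-owned device would report."""
    device_id: str
    platform: str
    os_version: str
    jailbroken: bool = False   # rooted / jailbroken: platform security model broken
    risky_apps: int = 0        # apps flagged by behavioural (sandbox) analysis


@dataclass
class PolicyState:
    """Per-device warning counters kept by the central engine."""
    warnings: dict = field(default_factory=dict)


def score_device(report):
    """Return (score, reasons); a higher score means a riskier device."""
    score, reasons = 0, []
    minimum = MIN_PATCHED.get(report.platform.lower())
    if minimum is None:
        score += 20
        reasons.append("unknown platform, cannot assess patch level")
    elif parse_version(report.os_version) < minimum:
        score += 40
        reasons.append(f"unpatched OS {report.os_version} below assumed minimum")
    if report.jailbroken:
        score += 50
        reasons.append("jailbroken/rooted device")
    if report.risky_apps:
        score += min(30, 10 * report.risky_apps)
        reasons.append(f"{report.risky_apps} risky app(s) installed")
    return score, reasons


def decide_access(report, state, max_warnings=3, block_threshold=40):
    """Warn a risky device up to max_warnings times, then block it.

    Returns (decision, score, reasons) with decision in {allow, warn, block}.
    A device that drops below the threshold (e.g. after updating) has its
    warning counter cleared.
    """
    score, reasons = score_device(report)
    if score < block_threshold:
        state.warnings.pop(report.device_id, None)
        return "allow", score, reasons
    count = state.warnings.get(report.device_id, 0) + 1
    state.warnings[report.device_id] = count
    if count > max_warnings:
        return "block", score, reasons
    return "warn", score, reasons


if __name__ == "__main__":
    # Constructed sample fleet: one stale tablet, one current phone, one rooted phone.
    fleet = [
        DeviceReport("tab-1", "android", "4.0.4"),
        DeviceReport("ph-1", "ios", "6.1.3"),
        DeviceReport("ph-2", "android", "4.2.2", jailbroken=True, risky_apps=1),
    ]
    state = PolicyState()
    for attempt in range(4):
        for rep in fleet:
            decision, score, reasons = decide_access(rep, state)
            print(f"attempt {attempt + 1} {rep.device_id}: {decision} (score {score}) {reasons}")
```

With the defaults, the stale tablet is warned on its first three access attempts and blocked on the fourth, matching the "warn you three times, then shut off access" policy from the interview; the current iPhone is always allowed.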